This week’s security news include US Agencies being urged to fix Ivanti VPNs that are being hacked
The Microsoft Incident in the Midnight Blizzard: A New SEC Rule That Makes Private Companies Interested in Security Management (SVR)
Intelligence-gathering is the main focus of the SVR. It primarily targets governments, diplomats, think tanks and IT service providers in the U.S. and Europe.
In a blog post, Microsoft said the intrusion began in late November and was discovered on Jan. 12. It said the same highly skilled Russian hacking team behind the SolarWinds breach was responsible.
Microsoft calls the hacking unit Midnight Blizzard. Last year it was renamed the group Nobleium and used the threat-actor name. The cybersecurity firm Mandiant, owned by Google, calls the group Cozy Bear.
In Friday’s SEC regulatory filing, Microsoft said that “as of the date of this filing, the incident has not had a material impact” on its operations. It doesn’t know whether the incident will impact its finances.
Microsoft said the Russians gained access to a “legacy” account by compromising credentials, and that the code on the account was outdated. After gaining a foothold, they used the account’s permissions to access the accounts of the senior leadership team and others. The brute-force attack technique used by the hackers is called “password spraying.”
The new SEC rule that took effect last month forced publicly traded companies to give more detail about their breeches that could hurt their business. It gives them four days to do so unless they obtain a national-security waiver.
Human trafficking in Myanmar’s military braneworld: How Walmart is failing to respond to a Russian hacker’s attack on Microsoft Teams chats
The threat actor tries to log into multiple accounts by using a single password. In an August blog post, Microsoft described how its threat-intelligence team discovered that the same Russian hacking team had used the technique to try to steal credentials from at least 40 different global organizations through Microsoft Teams chats.
In a new investigation, Consumer Reports and The Markup crowdsourced three years of archived Facebook data from 709 users of the social network to assess which data brokers and other organizations are tracking and monitoring them. The reporters found that 186,891 companies sent data about 709 individuals to Facebook. On average, each of those users had information sent to Facebook about them by 2,230 companies. There were different number, though. Some users had less than the average while others had so many companies that they gave information to the social network.
The UN estimates that there may be as many as 100,000 people held in scam centers in Cambodia and 120,000 in Myanmar. “I’ve worked in this space for over 20 years and to be honest, we’ve never seen anything like what we’re seeing now in Southeast Asia in terms of the sheer numbers of people,” Rebecca Miller, regional program director for human trafficking at the UN Office on Drugs and Crime told Vox.
As rebel groups in Myanmar violently oppose the country’s military government, the human trafficking and abuse fueling pig butchering scams is exacerbating the conflict. The scam has boomed in recent years not only by bad actors but by forced laborers who have been kidnapped and held against their will. In one case this fall, a collection of rebel groups in Myanmar known as the Three Brotherhood Alliance took control of 100 military outposts in the country’s northern Shan state and seized several towns along the border with China, vowing to “eradicate telecom fraud, scam dens and their patrons nationwide, including in areas along the China-Myanmar border.”
Gift card scams in which attackers trick victims into purchasing gift cards for them are a long-standing issue, but new reporting from ProPublica shows how Walmart has been particularly remiss in addressing the problem. For a decade, the retailer has skirted pressure from both regulators and law enforcement to more closely scrutinize gift card sales and money transfers and expand employee training that could save customers from being tricked and exploited by bad actors. ProPublica conducted many interviews and reviewed internal documents in its analysis.
Source: Security News This Week: US Agencies Urged to Patch Ivanti VPNs That Are Actively Being Hacked
Protecting Your Privacy and Privacy with Ivanti Connect Secure, a VPN Solution to the 2018 Chinese Cybersecurity and Infrastructure Security Act (CISA)
Ivanti’s product series called pulse secure was re-christened as Ivanti Connect Secure. In 2021. there were many high-profile digital hacks carried out by Chinese state-backed hackers.
On Friday, the US Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to patch two vulnerabilities that are being actively exploited in the popular VPN appliances Ivanti Connect Secure and Policy Secure. CISA’s executive assistant director, Eric Goldstein, told reporters that CISA has notified every federal agency that is running a version of the products, amounting to “around” 15 agencies that have applied mitigations. “We are not assessing a significant risk to the federal enterprise, but we know that risk is not zero,” Goldstein said. He added that investigations are ongoing into whether any federal agencies have been compromised in the attackers’ mass exploitation spree.
And there’s more. We didn’t break or cover much of the security and privacy news ourselves, but we do round it up each week. Stay safe, and click the headline to read the full story.
The data broker X-Mode which is now known as Outlogic was fined $200,000 by the Federal Trade Commission over its sale of location data from phone apps to the US government. While the action was hailed by some as a historic privacy win, it also illustrates the limitations of the FTC and the US government’s data privacy enforcement power and the ways in which many companies can avoid scrutiny and consequences for failing to protect consumers’ data.
A major coordinated disclosure this week called attention to the importance of prioritizing security in the design of graphics processing units (GPUs). Researchers published details about the “LeftoverLocals” vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could be exploited to steal sensitive data, such as responses from AI systems. Meanwhile, new findings from the cryptocurrency tracing firm Chainalysis show how stablecoins that are tied to the value of the US dollar were instrumental in cryptocurrency-based scams and sanctions evasion last year.
